Posts

A compromised administrator account or an admin becoming a disgruntled ex-employee is a source of serious risk to a business. This is because traditionally admins can do whatever they want, whenever they want. To address this issue, Microsoft have developed Privileged Access Management.

What is Privileged Access Management?

Privileged Access Management works on the principle of zero standing access. That means that admins don’t have the ability to perform potentially damaging actions all of the time.

When they need to perform a task that may expose sensitive data or has potential to cause a lot of damage, they will be given just enough access to complete the task. And even then, only for a specific time and only following an audited approval process.

You can define which tasks require a privileged access request via the admin portal.

Create Privileged Access Policy

When admins want to perform one of these tasks, they can raise their requests for access via the portal or via Powershell.

A sample Powershell request to perform tasks requiring privileged access approval looks like this:

New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' -Reason 'Setting Journal per request.' -DurationHours 4

Privileged Access PowerShell RequestRequests can be automatically or manually approved, and requestors are notified of the approval outcome via email. All privileged access requests and approval process information is recorded for internal reviews and auditors.Privileged Access Request Email

Privileged Access Management License requirements

Privileged access management requires Microsoft 365 E5, Office 365 E5 or the standalone Advanced Compliance SKU.

 

Outlook for Windows: Shared calendar improvements

Microsoft have updated the Office 365 roadmap with some upcoming improvements to calendar sharing in Office 365.

Apart from being simpler, these new calendar updates are also great for separate companies who use Office 365 and share resources like meeting rooms.

The current external sharing options are difficult to configure and only update every 3 hours. However these new changes will allow for a simple, instantly syncing calendar sharing experience. Both internally and with external Office 365 & Outlook.com users.

See here for more info.

From Microsoft’s notes

Introducing a new service backed model for sharing calendars with other Office 365 subscribers that improves performance and reliability and keeps all calendars in sync.

This update came from our Azure function which monitors the Office 365 Roadmap, generates an image and triggers a Microsoft Flow Approval to collect our input. See our knowledge base for more examples of our business process automation.

As Office 365 evolves, we need to refresh our training materials. So here’s our updated video tutorial on how to install Office from Office 365.

Custom Office 365 Login Screen Branding

You can add your own branding to your users Office 365 login screens via the Azure admin portal. The level of customisation that you get depends on the version of Azure Active Directory that you’ve signed up for.

What’s Azure Active Directory?

Azure Active Directory might not sound familiar to you, though it underpins every Office 365 organisation. All of your Office 365 users are stored in your Azure Active Directory, which is included in Office 365.

How to set up the custom branding for Office 365 login screens

  1. Login to Office 365 as an administrator at https://portal.office.com
  2. Click the App Launcher/Waffle button on the top left of the screenOpen Office 365 App Launcher To Start SetupOfBranding
  3. Click the Admin tileOpen Office 365 Admin Center To Setup Branding
  4. On the left menu, scroll down to Azure ADOpen Azure AD To Customise Office 365 Login Branding
  5. You may need to sign up for an Azure subscription, though you won’t have to put any credit card details in yet.
  6. Click Active Directory on the left menu once you’ve signed up.Select Azure Active Directory
  7. Click the Active Directory that has the same name as your Office 365 subscription, you will likely only have one listed here. Ours is called Ozbizweb Group.Open Azure Active Directory
  8. Click Configure, then click Customize BrandingConfigure Azure Active Directory And Customise Branding

The Customize Default Branding section gives you a few options to customise your Office 365 login experience.Customise Office 365 Default Branding

Banner Logo

Size: 280 x 60 (Max is 300 x 60)

The Banner logo is the logo that appears above the Office 365 login fields. It supports JPEG, though a PNG image with a transparent background is recommended.

Square Logo

Size: 240 x 240

The square logo is used to represent user accounts in your organisation, on Azure AD web UI and in Windows 10. You should also add this one as a PNG with a transparent background, though JPEG is also supported.

Square Logo, Dark theme

Size: 240 x 240

You can upload a separate image for this one if the previous square logo won’t look good on dark backgrounds. Again, PNG with a transparent is recommended, though JPEG is supported.

User ID Placeholder

Typically, this is someone@example.com and is shown in the user ID input field. You can replace this with someone@yourdomain.com if you like. Though you should leave it blank if you’re making apps using Azure AD that will support external users.

Sign In Page Text Heading

This heading will appear above the customised sign in page text which can appear at the bottom of the Office 365 Sign in screen.

Sign In Page Text Body

This can be a short message at the bottom of the Office 365 login screen that can give more information to the users. You can use this to display welcome text, information about password resets, or contacting the helpdesk. This one can’t be longer than 500 characters (250-300 characters recommended).

Click the arrow to proceed to the next screen. This is where you can add the background image that will appear when a user enters their username.Customise Second Page OfOffice 365 Default Branding

Sign In Page Illustration

Size: 1420 x 1200

The message from Microsoft here is to use an abstract illustration or picture. Since the image gets resized and cropped, avoid using rasterized text and keep the “interesting” part of the illustration in the top-left corner. It can be a JPEG, GIF or PNG and should be about 300kb in size. Max size is 500kb.

Sign In Background Colour

Certain users may connect to Office 365 on low bandwidth connections, so you can customise the background colour of the Sign In Page Illustration section which will appear while the image loads. The default is the Office 365 orange/red, though this can be set to a hexadecimal colour code that suits your brand eg #73A2D1

Show or Hide Keep me signed in or KMSI

If you don’t want your users to choose to stay signed into devices, you can hide the ‘Keep me signed in’ checkbox here.

Post Logout Link Label

This is the link text that will appear when your users log out of Office 365. eg. Return to Ozbizweb Group website.

Post Logout Link URL

This is the URL that you’d like the Post Logout Link Label to redirect your users too. Eg. http://www.ozbizweb.com.au

Once you’ve applied your changes, click the Tick icon and wait for the changes to be applied.

Changes Are Saved For Office 365 Branding

 

You can test them out in an In-Private window (CTRL-Shift-P in Edge/Internet Explorer, CTRL-Shift-N in Google Chrome). Just enter your email address, and you should see some of the changes are taking effect. Note that it may take up to an hour to see your branding changes.

The free tier of Azure Active Directory doesn’t appear to display all the customised branding elements. Though some of them, like the Banner Logo and custom background colour before the Sign In Illustration loads, do appear.

Some Office 365 Branding Changes Available For Free

Want to see all your Office 365 login screen branding?

Displaying all of your branding changes is one of the many benefits of Azure Active Directory Premium, and the good news is that you can try it out for free. If you decide that you don’t want to go ahead with Azure Active Directory Premium for all your users, and just want it for the branding, you can assign it to just one user. This seems to enable all the custom branding elements for all users in your organisation.

Here’s how to activate an Azure Active Directory Premium Trial

  1. In the Azure portal, click the quick start cloud icon.Open Quick Start In Azure Active Directory
  2. Scroll down to Get Azure AD Premium and click Try it now.Try Azure Active Directory Premium
  3. Click Activate Trial and the bottom of the screen.Activate Trial For Azure Active Directory Premium
  4. Click the tick to get started. This trial will not auto-renew, and you won’t be charged after the 30 days are up.Activate Azure Active Directory Premium Trial
  5. Wait for the trial to start.Starting Azure Active Directory Premium Trial
  6. Make sure the Azure Active Directory Premium plan is selected and click Assign at the bottom of the screen.Assign Azure Active Directory Premium Licenses
  7. You will be presented with a list of users in your organisation, mouse over the users and click the + icon to select them for license assignment.Choose Users For Azure Active Directory Premium
  8. Click the tick icon and wait for the License plan operation to complete.Licenses Assigned For Azure Active Directory Premium
  9. Open an In-Private window, navigate to https://portal.office.com and enter a user’s email address. You should see all the branding changes you’ve implemented are now active!Office 365 Branding Changes Are Applied

We usually use Skykick for our Office 365 migrations as it helps us to automate the process and ensures a seamless transition onto Exchange Online. Occasionally Skykick will be unavailable to us, which is the case for a small migration I have underway.

The customer is migrating away from a Google Apps tenant that we don’t have administrative access to. This means we’re unable to set up the Google Service Account required by SkyKick, and have to migrate mail, contacts and calendars separately onto Office 365.

Since we have the usernames and passwords for the Google Apps/Google for Work accounts, we can run an IMAP migration within the Exchange Admin Centre. There are some instructions here that detail this process.

If the stars align for you, the migration will run without an issue. Though just in case things go wrong, here’s some solutions to some common IMAP migration issues.

Error: We had trouble signing into this account. Please confirm that you’re using the correct username and password.

Office 365 IMAP Migration Failed Due To Incorrect Password

If you’re receiving this error message and you’re 100% sure that all user details are correct, you may need to Allow less secure apps in the users’ Google Security Settings.

To do this, log on as the user to: https://myaccount.google.com/security?pli=1#signin
If Allow less secure apps is set to OFF, set it to ON.

Allow Less Secure Apps For Google Apps To Office 365 Migration

Check Allow Less Secure Apps For Google Apps To Office 365 Migration

This will allow Office 365 to connect to your accounts via IMAP to download the mail.

E-mail migration batch “migrationname” has finished – with errors

If you try to run the migration again, you will probably get an error report via email that states E-mail migration batch “migrationname” has finished – with errors.

Office 365 IMAP Email Migration Batch Failed

The error message tells you that the migration users already exist, and will need to be removed before we can migrate their mail. The usual method to do this would be to delete the Migration Batch from the Exchange Admin Center.

When attempting to delete the migration, you may notice that the migration is stuck with a status of Removing.

Removing a Migration Batch via PowerShell

To remove a Migration Batch that is stuck with a status of removing, you may need to remove it via PowerShell.

To do this, you’ll need to connect to Exchange Online via PowerShell

Run Get-MigrationBatch

Run Get-MigrationBatch via Powershell in Office 365

You’ll get a list of the current Migration Batches. In my screenshot the status is Syncing, since I forgot to take a screenshot while it was stuck on Removing.

To remove a Migration that’s stuck on Removing or Corrupted, run Remove-MigrationBatch -Identity migrationname

Remove-Migration Batch Via Exchange Online

Remember to replace name with the name of your migration.

If it still does not remove, run Remove-MigrationBatch -Identity migrationname -Force to force it’s removal.

 

The user “email@address.com” already exists, but the migration batch that includes it couldn’t be found

Unfortunately, if you try to run the migration again, you may get the following error in your emailed error report:

The user “email@address.com” already exists, but the migration batch that includes it couldn’t be found. Before you try migrating the user within a batch again, please remove the existing user by running the Remove-MigrationUser cmdlet.

At first I tried to remove all the migration users by signing into Exchange Online via PowerShell and running Get-MigrationUser to get a list of all the current migration users.

Get-MigrationUser In Exchange Online

Then I ran Get-MigrationUser | Remove-MigrationUser

Run Get-MigrationUser Then Remove-MigrationUser

This gave me the following error message for each one:

Could not load the batch information for migration user ’email@address.com’. Associated migration subscription cannot be removed

To fix this, run Get-MigrationUser | Remove-MigrationUser -Force

Force Removal Of Office 365 Migration Users

You can run Get-MigrationUser again to confirm that there are no more registered Migration Users

Save yourself some time

If you want to save some time and force the removal of both Migration Batches and Migration Users, just run the following PowerShell commands in order:

Remember to replace migrationname with the name of your migration batch.

Remove-MigrationBatch -Identity migrationname -Force
Get-MigrationUser | Remove-MigrationUser -Force

Now, try to run the migration again and it should proceed without an issue.

Successful Office 365 Migration From Google Apps

There are two ways to set up an Out of Office Automatic Reply when using Office 365. You can use Outlook, or the Outlook Web App.

Set up an Out of Office reply via Outlook

  1. Open Outlook
  2. Click FileSetup Out Of Office in Outlook
  3. Click Automatic RepliesSetup Automatic Reply for Office 365
  4. Enter your Automatic Reply messageSave Out of Office Message In Outlook For Office 365
  5. You can configure different automatic replies for senders inside or outside the organisation. You can also choose to send Automatic Replies indefinitely, or during a specific time frame.

Set up an Out of Office reply via Outlook

  1. Log into https://outlook.office365.com
  2. Click the Settings cog on the top right:Open Outlook Web App Settings
  3. Click Automatic RepliesOpen Automatic Replies In Office 365 Outlook Web App
  4. Enter your Automatic Reply messageConfigure Automatic Replies Outlook Web App
  5. You can configure different automatic replies for senders inside or outside the organisation. You can also choose to send Automatic Replies indefinitely, or during a specific time frame.
  1. Tap SettingsOpen Settings To Setup Office 365 Email On iPhone
  2. Tap Mail, Contacts, CalendarsTap Mail Contacts Calendars
  3. Tap Add AccountTap Add Account
  4. Tap ExchangeTap Exchange Account
  5. Enter your Office 365 email address and password and tap Next.Enter Office 365 Username And Password
  6. Wait for it to show verifiedWait For Office 365 Username And Password To Verify
  7. Select the services you want to sync to your iPhone or iPadSelect Office 365 Services To Sync
  8. Open the mail app on your phone to view your new mail account. Your Calendar will appear under the Calendar App, Contacts will appear under the Contacts app.